SNARKeling Treasure Hunt
First Flight #59
Beginner FriendlyGameFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Circuit ALLOWED_TREASURE_HASHES contains only 9 unique hashes (missing 9th), bricking the honest withdraw() path

arcwren

Description

Normal behavior: The Noir circuit at circuits/src/main.nr embeds a 10-element ALLOWED_TREASURE_HASHES array, one hash per treasure. Each entry must be a distinct Pedersen hash so that 10 separate treasure preimages can produce distinct valid proofs, and the Solidity withdraw() function (gated on claimsCount >= MAX_TREASURES = 10) becomes reachable on the honest happy path after all treasures are claimed.

Specific issue: The ALLOWED_TREASURE_HASHES array at circuits/src/main.nr:55-66 contains only 9 unique values — indices 8 and 9 hold the same hash (-961435057317293580094826482786572873533235701183329831124091847635547871092). Cross-referencing the Deploy script's documented intended 10-hash set at contracts/scripts/Deploy.s.sol:17-26 confirms that the 9th intended hash (-4417726114039171734934559783368726413190541565291523767661452385022043124552) is absent from the circuit. The 10th hash appears twice.

// circuits/src/main.nr
global ALLOWED_TREASURE_HASHES: [Field; 10] = [
1505662313093145631275418581390771847921541863527840230091007112166041775502,
-7876059170207639417138377068663245559360606207000570753582208706879316183353,
-5602859741022561807370900516277986970516538128871954257532197637239594541050,
2256689276847399345359792277406644462014723416398290212952821205940959307205,
10311210168613568792124008431580767227982446451742366771285792060556636004770,
-5697637861416433807484703347699404695743570043365849280798663758395067508,
-2009295789879562882359281321158573810642695913475210803991480097462832104806,
8931814952839857299896840311953754931787080333405300398787637512717059406908,
-961435057317293580094826482786572873533235701183329831124091847635547871092, //@> duplicate of next
-961435057317293580094826482786572873533235701183329831124091847635547871092 //@> 9th intended hash missing
];

The accompanying test circuits/src/tests.nr::test_treasure_hunt_all_treasures_success passes only because it uses treasures = [1, 2, 3, 4, 5, 6, 7, 8, 10, 10] — treasure #9 is silently replaced by a second instance of #10, which is exactly the bug.

Risk

Likelihood: HIGH

Reason 1: The bug is present in the current code; no conditional trigger required. Any deployment that uses the current circuit artifacts has this issue.

Reason 2: The intended 9th treasure finder cannot generate a valid proof — their treasure's hash is not in ALLOWED_TREASURE_HASHES, so is_allowed(treasure_hash) returns false and the circuit's first assertion fails.

Impact: HIGH

Impact 1: The intended 9th-treasure finder is permanently deprived of their 10 ETH reward. The on-chain contract has no mechanism to accept a new circuit or to refund an unclaimable secret — they receive nothing.

Impact 2: withdraw() at contracts/src/TreasureHunt.sol:223-232 is gated on claimsCount >= MAX_TREASURES = 10, but honest claims can reach at most 9 (one hash is unclaimable). Therefore withdraw() is permanently unreachable on the happy path. The remaining 10 ETH of contract funding becomes stuck unless the owner falls back to pause() + emergencyWithdraw() (which is documented only as an emergency escape, not a business-as-usual fund-recovery path, and forbids recipient == owner forcing a relay through a secondary address).

Combined: ~10 ETH (one reward's worth) at risk plus a broken post-hunt settlement flow + the protocol's "10 treasures / 100 ETH" user-facing promise in the README is violated.

Proof of Concept

This is a setup / circuit-data correctness finding; the evidence is in-scope static inspection + a passing existing test that silently relies on the bug.

  1. Array inspection: circuits/src/main.nr:55-66 (shown above) shows indices 8 and 9 are literally the same number.

  2. Cross-reference with Deploy: contracts/scripts/Deploy.s.sol:17-26 (the doc-comment list of intended hashes) includes -4417726114...3124552 as the 9th hash, which is absent from the circuit.

  3. Cryptographic confirmation via the contest's own test:

// circuits/src/tests.nr::test_treasure_hunt_all_treasures_success (PASSES)
#[test]
fn test_treasure_hunt_all_treasures_success() {
let treasures: [Field; 10] = [1, 2, 3, 4, 5, 6, 7, 8, 10, 10]; //@> [1..8, 10, 10] — treasure 9 absent
for i in 0..10 {
let treasure = treasures[i];
let treasure_hash = ALLOWED_TREASURE_HASHES[i];
let recipient: Field = 2;
main(treasure, treasure_hash, recipient);
}
}

This test passes iff pedersen_hash([treasures[i]]) == ALLOWED_TREASURE_HASHES[i] for all i — and it passes with treasure 9 == 10 (the test substitutes treasure #10 for treasure #9's slot because no integer hashes to ALLOWED_TREASURE_HASHES[8] except 10).

  1. Withdraw-gating check (Solidity, in-scope):

// contracts/src/TreasureHunt.sol:223
function withdraw() external {
require(claimsCount >= MAX_TREASURES, "HUNT_NOT_OVER"); //@> gates on 10; honest claims reach at most 9
uint256 balance = address(this).balance;
require(balance > 0, "NO_FUNDS_TO_WITHDRAW");
(bool sent, ) = owner.call{value: balance}("");
require(sent, "ETH_TRANSFER_FAILED");
emit Withdrawn(balance, address(this).balance);
}

A Foundry test demonstrating the happy-path reachability failure:

function test_withdraw_bricked_on_honest_path() public {
// Simulate the ONLY-9-CLAIMS state (what honest participants can achieve).
// We use a test harness that simulates the state where 9 distinct claims
// succeeded and no further claim can succeed because treasure #9 is
// unclaimable.
for (uint256 i = 0; i < 9; i++) {
vm.prank(participant);
hunt.claim(proof, bytes32(uint256(i + 1)), payable(address(uint160(0xABCD + i))));
}
assertEq(hunt.claimsCount(), 9);
assertLt(hunt.claimsCount(), hunt.MAX_TREASURES());
// withdraw() reverts because HUNT_NOT_OVER.
vm.expectRevert(bytes("HUNT_NOT_OVER"));
hunt.withdraw();
}

Recommended Mitigation

Replace circuits/src/main.nr:64 (or the index-8 slot) with the missing 9th hash from the Deploy script's documented set, then regenerate contracts/src/Verifier.sol via circuits/scripts/build.sh:

global ALLOWED_TREASURE_HASHES: [Field; 10] = [
1505662313093145631275418581390771847921541863527840230091007112166041775502,
-7876059170207639417138377068663245559360606207000570753582208706879316183353,
-5602859741022561807370900516277986970516538128871954257532197637239594541050,
2256689276847399345359792277406644462014723416398290212952821205940959307205,
10311210168613568792124008431580767227982446451742366771285792060556636004770,
-5697637861416433807484703347699404695743570043365849280798663758395067508,
-2009295789879562882359281321158573810642695913475210803991480097462832104806,
8931814952839857299896840311953754931787080333405300398787637512717059406908,
- -961435057317293580094826482786572873533235701183329831124091847635547871092,
+ -4417726114039171734934559783368726413190541565291523767661452385022043124552,
-961435057317293580094826482786572873533235701183329831124091847635547871092
];

Also fix circuits/src/tests.nr::test_treasure_hunt_all_treasures_success to use treasures = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] — the test should catch the exact class of bug that's present today.

Add a uniqueness invariant test:

#[test]
fn test_allowed_hashes_are_unique() {
for i in 0..10 {
for j in (i+1)..10 {
assert(ALLOWED_TREASURE_HASHES[i] != ALLOWED_TREASURE_HASHES[j]);
}
}
}
Updates

Lead Judging Commences

s3mvl4d Lead Judge 18 days ago
Submission Judgement Published
Validated
Assigned finding tags:

unclaimable treasure / bricked withdraw path

The issue stems from a mismatch between the circuit and the contract’s economic assumptions: the Solidity contract is configured for `MAX_TREASURES = 10` and only allows the owner to call `withdraw()` once `claimsCount >= MAX_TREASURES`, while the Noir circuit’s baked-in `ALLOWED_TREASURE_HASHES` array does not actually contain ten distinct treasures because one hash is duplicated and another expected hash is missing. As a result, under the intended one-claim-per-treasure design described in the README, there are only nine uniquely claimable treasures even though the system is funded and accounted as if ten rewards can be legitimately redeemed. That creates two linked consequences from the same root cause: first, one treasure is effectively unclaimable because no valid proof can ever be generated for the missing allowed hash, and second, the normal “hunt over” withdrawal path becomes bricked because honest participants can never reach ten legitimate unique claims, leaving the post-hunt fund recovery logic via `withdraw` function permanently unreachable. The owner can still intervene through the emergency path.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!